# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>
# Submits attack reports to DShield (http://www.dshield.org/)
#
# You MUST configure at least:
# <port> (the port that's being attacked - use number not name).
#
# You SHOULD also provide:
# <myip> (your public IP address, if it's not the address of eth0)
# <userid> (your DShield userID, if you have one - recommended, but reports will
# be used anonymously if not)
# <protocol> (the protocol in use - defaults to tcp)
#
# Best practice is to provide <port> and <protocol> in jail.conf like this:
# action = dshield[port=1234,protocol=tcp]
#
# ...and create "dshield.local" with contents something like this:
# [Init]
# myip = 10.0.0.1
# userid = 12345
#
# Other useful configuration values are <mailargs> (you can use for specifying
# a different sender address for the report e-mails, which should match what is
# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
# configure how often the buffer is flushed).
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = if [ -f <tmpfile>.buffer ]; then
                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                 date +%%s > <tmpfile>.lastsent
             fi
             rm -f <tmpfile>.buffer <tmpfile>.first

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# See http://www.dshield.org/specs.html for more on report format/notes
#
# Note: We are currently using <time> for the timestamp because no tag is
# available to indicate the timestamp of the log message(s) which triggered the
# ban. Therefore the timestamps we are using in the report, whilst often only a
# few seconds out, are incorrect. See
# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
#
actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
	    PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
	    if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
            NOW=`date +%%s`
            if [ ! -f <tmpfile>.first ]; then
                echo <time> | cut -d. -f1 > <tmpfile>.first
            fi
            if [ ! -f <tmpfile>.lastsent ]; then
                echo 0 > <tmpfile>.lastsent
            fi
            LOGAGE=$(($NOW - `cat <tmpfile>.first`))
            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
                rm -f <tmpfile>.buffer <tmpfile>.first
                echo $NOW > <tmpfile>.lastsent
            fi

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = if [ -f <tmpfile>.first ]; then
                  NOW=`date +%%s`
                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
                  if [ $LOGAGE -gt <maxbufferage> ]; then
                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                      rm -f <tmpfile>.buffer <tmpfile>.first
                      echo $NOW > <tmpfile>.lastsent
                  fi
              fi


[Init]
# Option:  port
# Notes.:  The target port for the attack (numerical). MUST be provided in the
#          jail config, as it cannot be detected here.
# Values:  [ NUM ]
#
port = ???

# Option:  userid
# Notes.:  Your DShield user ID. Should be provided either in the jail config or
#          in a .local file.
#          Register at https://secure.dshield.org/register.html
# Values:  [ NUM ]
#
userid = 0

# Option:  myip
# Notes.:  The target IP for the attack (your public IP). Should be provided
#          either in the jail config or in a .local file unless your PUBLIC IP
#          is the first IP assigned to eth0
# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
#          which in most cases will be a private IP, and therefore incorrect
#
myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`

# Option:  protocol
# Notes.:  The protocol over which the attack is happening
# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
#
protocol = tcp

# Option:  lines
# Notes.:  How many lines to buffer before making a report. Regardless of this,
#          reports are sent a minimum of <minreportinterval> apart, or if the
#          buffer contains an event over <maxbufferage> old, or on shutdown
# Values:  [ NUM ]
#
lines = 50

# Option:  minreportinterval
# Notes.:  Minimum period (in seconds) that must elapse before we submit another
#          batch of reports. DShield request a minimum of 1 hour (3600 secs)
#          between reports.
# Values:  [ NUM ]
#
minreportinterval = 3600

# Option:  maxbufferage
# Notes.:  Maximum age (in seconds) of the oldest report in the buffer before we
#          submit the batch, even if we haven't reached <lines> yet. Note that
#          this is only checked on each ban/unban, and that we always send
#          anything in the buffer on shutdown. Must be greater than
# Values:  [ NUM ]
#
maxbufferage = 21600

# Option:  srcport
# Notes.:  The source port of the attack. You're unlikely to have this info, so
#          you can leave the default
# Values:  [ NUM ]
#
srcport = ???

# Option:  tcpflags
# Notes.:  TCP flags on attack. You're unlikely to have this info, so you can
#          leave empty
# Values:  [ STRING ]
#
tcpflags =

# Option:  mailcmd
# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
# Values:  CMD
#
mailcmd = mail -s

# Option:  mailargs
# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
#          CC reports to another address:
#              -c me@example.com
#          Appear to come from a different address (the From address must match
#          the one configured at DShield - the '--' indicates arguments to be
#          passed to Sendmail):
#              -- -f me@example.com
# Values:  [ STRING ]
#
mailargs =

# Option:  dest
# Notes.:  Destination e-mail address for reports
# Values:  [ STRING ]
#
dest = reports@dshield.org

# Option:  tmpfile
# Notes.:  Base name of temporary files used for buffering
# Values:  [ STRING ]
#
tmpfile = /run/fail2ban/tmp-dshield

